The Linux Administration group is for the discussion of technical issues that arise during the administration of Linux systems, including maintaining the operating system and supporting end-user applications.

Port forwarding

I have a network setup with some machines in a public network and some in a
private network.
All the public machines are running Linux.
One of our private machines is running Windows XP, and we are running a web
application on it.
Now our requirement is that anybody can connect to this machine and use the
web application from outside as well.
But I don't want to put this machine directly on the public network, for
security reasons.
So another way is to configure port forwarding on a machine which is
already in the public network.

What are the steps to configure port forwarding?
Can anybody help me in this regard?
Which port (http/https) do I need to forward from the public to the private machine?
If http://rtn.vnlab.com/cvs is the URL for local access, then which URL will
there be after port forwarding?
How can we link a URL to the web application on the private machine?

Port Forwarding (DNAT)
One of your goals may be to run one or more servers on your local computers. Because these computers have RFC-1918 addresses, it is not possible for clients on the Internet to connect directly to them. It is rather necessary for those clients to address their connection requests to the firewall, which rewrites the destination address to the address of your server and forwards the packet to that server. When your server responds, the firewall automatically performs SNAT to rewrite the source address in the response.
The above process is called Port Forwarding or Destination Network Address Translation (DNAT). You configure port forwarding using DNAT rules in the /etc/shorewall/rules file.
The general form of a simple port forwarding rule in /etc/shorewall/rules is:
#ACTION   SOURCE   DEST                                            PROTO        DEST PORT(S)
DNAT      net      loc:<server local ip address>[:<server port>]  <protocol>   <port>
Important
Be sure to add your rules after the line that reads SECTION NEW.
Important
The server must have a static IP address. If you assign IP addresses to your local system using DHCP, you need to configure your DHCP server to always assign the same IP address to systems that are the target of a DNAT rule.
Shorewall has macros for many popular applications. Look at the output of shorewall show macros to see what is available in your release. Macros simplify creating DNAT rules by supplying the protocol and port(s) as shown in the following examples.
Example 1. Web Server
You run a Web Server on computer 2 in the above diagram and you want to forward incoming TCP port 80 to that system:
#ACTION     SOURCE   DEST             PROTO   DEST PORT(S)
Web(DNAT)   net      loc:10.10.10.2

Example 2. FTP Server
You run an FTP Server on computer 1 so you want to forward incoming TCP port 21 to that system:
#ACTION     SOURCE   DEST             PROTO   DEST PORT(S)
FTP(DNAT)   net      loc:10.10.10.1
For FTP, you will also need to have FTP connection tracking and NAT support in your kernel. For vendor-supplied kernels, this means that the ip_conntrack_ftp and ip_nat_ftp modules (nf_conntrack_ftp and nf_nat_ftp in later 2.6 kernels) must be loaded. Shorewall will automatically load these modules if they are available and located in the standard place under /lib/modules/<kernel version>/kernel/net/ipv4/netfilter. See the Shorewall FTP documentation for more information.

A couple of important points to keep in mind:
You must test the above rule from a client outside of your local network (i.e., don't test from a browser running on computers 1 or 2 or on the firewall). If you want to be able to access your web server and/or FTP server from inside your firewall using the IP address of your external interface, see Shorewall FAQ #2.
Many ISPs block incoming connection requests to port 80. If you have problems connecting to your web server, try the following rule and try connecting to port 5000.
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
DNAT      net      loc:10.10.10.2:80   tcp     5000

At this point, modify /etc/shorewall/rules to add any DNAT rules that you require.
Important
When testing DNAT rules like those shown above, you must test from a client OUTSIDE YOUR FIREWALL (in the 'net' zone). You cannot test these rules from inside the firewall!
For DNAT troubleshooting tips, see FAQs 1a and 1b.
For information about DNAT when there are multiple external IP addresses, see the Shorewall Aliased Interface documentation and the Shorewall Setup Guide.
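
The Shorewall DNAT rule above hides a few moving parts. As an added example, not part of
the thread or of the Shorewall documentation, the shell script below spells out the raw
iptables equivalent of "DNAT net loc:10.10.10.2:80 tcp 80": the PREROUTING DNAT, a FORWARD
acceptance limited to that one host and port, the POSTROUTING SNAT, and the hairpin NAT
rules that explain why the documentation insists on testing from outside the firewall. It
also covers the port-5000 variant from the ISP caveat by way of PUBLIC_PORT. The interface
names (eth0/eth1), the public address 203.0.113.10 and the 10.10.10.0/24 LAN are
assumptions for illustration; by default the script prints the commands rather than
applying them.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall docs): the raw iptables
# rules behind a Shorewall "DNAT net loc:10.10.10.2:80 tcp 80" line, plus the
# hairpin (loopback NAT) rules that make the forward work from the LAN too.
# All names and addresses are assumptions for illustration: eth0 = public
# interface with address 203.0.113.10 (RFC 5737 documentation range),
# eth1 = private LAN 10.10.10.0/24, web server at 10.10.10.2.
# Assumes net.ipv4.ip_forward=1 and a default DROP policy on FORWARD.
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-203.0.113.10}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.10.10.0/24}
SERVER=${SERVER:-10.10.10.2}
SERVER_PORT=${SERVER_PORT:-80}   # port the web server listens on
PUBLIC_PORT=${PUBLIC_PORT:-80}   # port exposed on the firewall; 5000 if the ISP blocks 80

# With DRY_RUN=1 (the default) the commands are printed instead of executed,
# so the rule set can be reviewed before it touches a live firewall.
DRY_RUN=${DRY_RUN:-1}
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# 1. DNAT: rewrite the destination of packets arriving on the public interface
#    for PUBLIC_PORT so they are delivered to the server (possibly another port).
dnat_rule() {
  ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUBLIC_PORT" \
      -j DNAT --to-destination "$SERVER:$SERVER_PORT"
}

# 2. FORWARD sees the rewritten address. Accept only this one host and port
#    inbound, and only established/related traffic outbound, rather than
#    opening the whole LAN.
forward_rules() {
  ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" --dport "$SERVER_PORT" \
      -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# 3. Replies to DNAT'd connections are un-NATed by conntrack automatically;
#    MASQUERADE covers connections the LAN itself originates.
snat_rule() {
  ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# 4. Hairpin NAT. A LAN client that connects to WAN_IP is DNAT'd to the server,
#    but the server would answer the client directly on the same subnet with its
#    own address as source; the client expected WAN_IP and drops the reply.
#    SNATing those hits to the firewall forces the reply back through it, where
#    the DNAT is reversed. Side effect: the server logs the firewall's LAN
#    address as the client for such connections. Without these rules the forward
#    only works from outside, which is the docs' warning.
hairpin_rules() {
  ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$WAN_IP" -p tcp \
      --dport "$PUBLIC_PORT" -j DNAT --to-destination "$SERVER:$SERVER_PORT"
  ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" --dport "$SERVER_PORT" \
      -j ACCEPT
  ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$SERVER" -p tcp \
      --dport "$SERVER_PORT" -j MASQUERADE
}

apply_all() {
  dnat_rule
  forward_rules
  snat_rule
  hairpin_rules
}

# Usage: sh port-forward.sh apply            -> print the rules for review
#        DRY_RUN=0 sh port-forward.sh apply  -> apply them (run as root)
if [ "${1:-}" = apply ]; then
  apply_all
fi
```

Run it once in dry-run mode and compare the printed lines with the output of
"shorewall show nat" and "shorewall show" on a box where the DNAT rule above is active;
the PREROUTING and FORWARD entries should match one for one.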

Thanks for the reply.
So my XP machine has the web server. Apache is running on the XP box, and we
are using a SonicWall router for our network.
We have some Linux machines on the public network.
I haven't done port forwarding in the past. So can you please tell me step by
step how to do port forwarding?
What are the changes to be made on the XP box and the configuration on the
router for port forwarding?
Which HTTP port should be forwarded?

As I understand it, your requirement is that some application is running on
Windows XP using some IIS application, and you want to connect that
application to the external world without exposing your Windows XP box to the
external world (with a live IP). In that case you are not required to make
any changes on your Windows XP box; you need to make changes on your
SonicWall firewall.
You are required to do port forwarding for two ports:
(1) for HTTP, 80
(2) for HTTPS, 443

What you will do is forward traffic from the public IP to the XP IP for the
ports (usually 80, and 443 for SSL), but if you're running Java or something
else you may need to provide that information so we can let you know the
default ports used for those services. Enable the firewall on the SonicWall
router if available and allow exceptions (it should do this automatically if
the router is intelligent by design). I would also disable the firewall on
the XP box initially while setting this up, just to verify that it is
working; once you get the simplest functions and setup running, then enable
the XP firewall and allow exceptions for the Apache application on ports 80
and 443.